[Cryptography] Kali Linux security is a joke!
Alfie John
alfiej at fastmail.fm
Tue Mar 17 15:31:17 EDT 2015
On Wed, Mar 18, 2015, at 05:32 AM, Viktor Dukhovni wrote:
> On Mon, Mar 16, 2015 at 12:07:08PM -0700, Henry Baker wrote:
>
> > So how come whenever you do apt-get in Kali Linux, it accesses
> > http://security.kali.org and http://http.kali.org
>
> All Debian-style repositories use HTTP, not HTTPS which makes them to
> mirror. The Release files are GPG signed by the distribution
> maintainers. The distribution keys should be part of the base
> installation media. Of course if you bootstrap via PXE, your MiTM
> attack starts there (the turtle at the bottom of the stack).
>
> > Hasn't Kali heard about MITM attacks against http?
>
> I would take some time to study the "apt" security model. It is not
> perfect, but the use of http is not a significant problem.

An issue with HTTP for apt is information leak. People listening on the
wire will know what software you're installing on machines.

Alfie

--
Alfie John
alfiej at fastmail.fm